How to: Configure your Domain Server to sync the time over the Internet (Network Time Protocol – NTP)
The Windows Time service provides time synchronization to peers and clients, which ensures consistent time throughout an enterprise. I've been struggling to keep my domain from ending up with strange times. The issue at hand is that my Domain Controller is a virtual machine, and I am guessing the host does not do a good job of keeping track of the time. You can imagine how this could end up. Fortunately it's usually just a few seconds, but soon enough the entire domain is behind the rest of the world, consistently behind. To avoid this I researched how to configure Windows Server to use the Network Time Protocol to query external servers.
By default, the first domain controller that you deploy holds the primary domain controller (PDC) emulator operations master role. Set the PDC emulator to synchronize with a valid Network Time Protocol (NTP) source. If you have not configured a source, the Windows Time service logs a message to the event log, and then uses the local clock when it provides time to clients.
Configure the Windows Time service to synchronize with an external time source. External time sources allow users to synchronize computer clocks through the NTP protocol over an IPv4 or IPv6 network.
The Microsoft time server (time.windows.com) uses NIST, the National Institute of Standards and Technology, located in Boulder, Colorado, as its external time provider. NIST provides the Automated Computer Time Service (ACTS), which can set a computer clock with an uncertainty of less than 10 milliseconds. The U.S. Naval Observatory (USNO) Time Service Department in Washington, D.C., is another source for accurate time synchronization in the United States. Many other sites exist throughout the world that you can use for time synchronization.
Note: Because synchronization with an external time source is not authenticated, it is less secure.
- Log on to the first domain controller that you deployed.
- At a command prompt, type the following command, where <target> is the computer whose offset you want to measure and <number> is the number of samples (comparisons) to take (10 should suffice to get an idea), and then press ENTER:
w32tm /stripchart /computer:<target> /samples:<number> /dataonly
- Open User Datagram Protocol (UDP) port 123 for outgoing traffic, if needed.
- Open UDP port 123 for incoming NTP traffic.
- Type the following command to configure the PDC emulator, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update
- I personally use the following:
w32tm /config /manualpeerlist:"time.windows.com time.nist.gov time-nw.nist.gov time-a.nist.gov time-b.nist.gov" /syncfromflags:manual /reliable:yes /update
After you are done configuring the peer list, you can start the sync process manually by typing w32tm /config /update, which tells the OS that you've made changes and that they are ready to take effect. I am not entirely sure, but this results in a slow sync, while the w32tm /resync command forces it to re-synchronize immediately. So in the first scenario it will move about 1/3 of a second every second towards the peer's time, while in the other case it will jump straight to it.
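The stripchart step above only shows the raw offsets; to turn it into a repeatable check (for example, run before and after the peer-list change, or from a monitoring job), the following added Python parses the /dataonly output and flags drift. This is example code, not part of the original post or of w32tm; the sample output lines are constructed, and the 1-second tolerance is an assumed value.

```python
import re
import statistics

# Constructed sample of "w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly"
# output (one sample failed); not captured from a real domain controller.
SAMPLE_OUTPUT = """\
Tracking time.windows.com [203.0.113.10:123].
Collecting 5 samples.
The current time is 03/05/2014 10:15:32.
10:15:32, +00.0123456s
10:15:34, +00.0119876s
10:15:36, error: 0x800705B4
10:15:38, -00.0021100s
10:15:40, +00.0130012s
"""

# "<HH:MM:SS>, <signed offset>s" data lines and "<HH:MM:SS>, error: <hex>" failures.
SAMPLE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s+([+-]\d+\.\d+)s$")
ERROR_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s+error:\s+(0x[0-9A-Fa-f]+)$")


def parse_stripchart(text: str):
    """Return (offsets in seconds, error codes) parsed from /dataonly output."""
    offsets, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SAMPLE_RE.match(line):
            offsets.append(float(m.group(2)))
        elif m := ERROR_RE.match(line):
            errors.append(m.group(2))
    return offsets, errors


def assess_drift(offsets, errors, max_abs_offset_s=1.0, min_samples=3):
    """Flag a host whose clock is further from the peer than max_abs_offset_s
    (assumed tolerance) or whose samples failed; too few samples also fails."""
    if len(offsets) < min_samples:
        return {"ok": False, "reason": "too few samples", "samples": len(offsets)}
    worst = max(abs(o) for o in offsets)
    ok = worst <= max_abs_offset_s and not errors
    return {
        "ok": ok,
        "reason": "" if ok else ("sample errors" if errors else "offset too large"),
        "samples": len(offsets),
        "errors": len(errors),
        "mean_s": statistics.mean(offsets),
        "worst_s": worst,
    }


if __name__ == "__main__":
    print(assess_drift(*parse_stripchart(SAMPLE_OUTPUT)))
```

On a real host, feed the function the captured output of the w32tm command instead of SAMPLE_OUTPUT.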
Parameter | Description |
---|---|
W32tm /stripchart | Displays a strip chart of the offset between synchronizing computers. |
W32tm /config /update | Configures the PDC emulator. |
/computer:<target> | Specifies the Domain Name System (DNS) name or IP address of the NTP server whose time you want to compare to the local computer’s time. An example of an NTP server is time.windows.com. |
/samples:<number> | Specifies the number of time samples that the target computer returns. |
/dataonly | Specifies that results show only data, not graphics. |
/manualpeerlist:<peers> | Specifies the list of DNS names or IP addresses for the NTP time source with which the PDC emulator synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the names of the peers in quotation marks. |
/syncfromflags:manual | Specifies to synchronize time with peers in the manual peer list. |
/reliable:yes | Specifies that the computer is a reliable time service. |
Note: When you specify a peer that is in the manual peer list, do not use the DNS name or IP address of a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service does not operate correctly if there are cycles in the time source configuration.
For more information about configuring and deploying the Windows Time service, see Administering the Windows Time Service (http://go.microsoft.com/fwlink/?LinkId=93658).
Below is the Technet Syntax and parameter explanation:
W32tm
You can use the W32tm.exe tool to configure Windows Time service (W32time) settings. You can also use W32tm.exe to diagnose problems with the time service. W32tm.exe is the preferred command-line tool for configuring, monitoring, or troubleshooting the Windows Time service. For examples of how you can use this command, see Examples.
Syntax
W32tm </parameter> </param2>
Parameters
Parameter | Description |
---|---|
W32tm /? | W32tm command-line Help |
W32tm /register | Registers the time service to run as a service, and adds default configuration to the registry. |
W32tm /unregister | Unregisters the time service, and removes all configuration information from the registry. |
w32tm /monitor [/domain:<domain name>] [/computers:<name>[,<name>[,<name>…]]] [/threads:<num>] | domain—Specifies which domain to monitor. If no domain name is specified, or neither the domain nor computers option is specified, the default domain is used. This option might be used more than once. computers—Monitors the given list of computers. Computer names are separated by commas, with no spaces. If a name has a prefix of a '*', it is treated as a primary domain controller (PDC). You can use this option more than once. threads—Specifies the number of computers to analyze simultaneously. The default value is 3. The allowed range is 1 through 50. |
w32tm /ntte <NT time epoch> | Converts a Windows NT system time, in (10^-7)s intervals from 0h 1-Jan 1601, into a readable format. |
w32tm /ntpte <NTP time epoch> | Converts a Network Time Protocol (NTP) time, in (2^-32)s intervals from 0h 1-Jan 1900, into a readable format. |
w32tm /resync [/computer:<computer>] [/nowait] [/rediscover] [/soft] | Tells a computer that it should resynchronize its clock as soon as possible, throwing out all accumulated error statistics. computer:<computer>—Specifies the computer that should resynchronize. If a computer is not specified, the local computer will resynchronize. nowait—Do not wait for the resynchronization to occur; return immediately. Otherwise, wait for the resynchronization to complete before returning. rediscover—Redetect the network configuration and rediscover network sources; then, resynchronize. soft—This option is only provided for compatibility with older time servers and will resynchronize using existing error statistics. |
w32tm /stripchart /computer:<target> [/period:<refresh>] [/dataonly] [/samples:<count>] [/packetinfo] [/ipprotocol:<4\|6>] | Displays a strip chart of the offset between this computer and another computer. computer:<target>—The computer to measure the offset against. period:<refresh>—The time between samples, in seconds. The default value is 2 seconds. dataonly—Display only the data, without graphics. samples:<count>—Collect <count> samples; then, stop. If a value is not specified, samples will be collected until Ctrl+C is pressed. packetinfo—Print out the NTP packet response message. ipprotocol—Specify the IP protocol to use. The default is to use whatever is available. |
w32tm /config [/computer:<target>] [/update] [/manualpeerlist:<peers>] [/syncfromflags:<source>] [/LocalClockDispersion:<seconds>] [/reliable:(YES\|NO)] [/largephaseoffset:<milliseconds>] | computer:<target>—Adjusts the configuration of <target>. If a value is not specified, the default is the local computer. update—Notifies the time service that the configuration has changed, causing the changes to take effect. manualpeerlist:<peers>—Sets the manual peer list to <peers>, which is a space-delimited list of Domain Name System (DNS) names and/or IP addresses. When you are specifying multiple peers, this option must be enclosed in quotation marks ("). syncfromflags:<source>—Sets what sources the NTP client should synchronize from. <source> should be a comma-separated list of source keywords (not case sensitive); the procedure above uses manual, which means the manual peer list. LocalClockDispersion:<seconds>—Configures the accuracy of the internal clock that W32time will assume when it cannot acquire time from its configured sources. reliable:(YES\|NO)—Sets whether this computer is a reliable time source. This setting is meaningful only on domain controllers. largephaseoffset:<milliseconds>—Sets the time difference between local time and network time that W32time will consider to be a spike. |
w32tm /tz | Displays the current time zone settings. |
w32tm /dumpreg [/subkey:<key>] [/computer:<target>] | Displays the values that are associated with a given registry key. The default key is HKLM\System\CurrentControlSet\Services\W32Time (the root key for the time service). subkey:<key>—Displays the values that are associated with subkey <key> of the default key. computer:<target>—Queries registry settings for computer <target>. |
w32tm /query [/computer:<target>] {/source \| /configuration \| /peers \| /status} [/verbose] | This parameter was first made available in the Windows Time client versions of Windows Vista and Windows Server 2008. Displays a computer's Windows Time service information. computer:<target>—Query the information of <target>. If a value is not specified, the default value is the local computer. source—Display the time source. configuration—Display the run-time configuration and where each setting comes from. In verbose mode, also display the undefined or unused settings. peers—Display a list of peers and their status. status—Display Windows Time service status. verbose—Set the verbose mode to display more information. |
w32tm /debug {/disable \| {/enable /file:<name> /size:<bytes> /entries:<value> [/truncate]}} | This parameter was first made available in the Windows Time client versions of Windows Vista and Windows Server 2008. Enables or disables the local computer's Windows Time service private log. disable—Disable the private log. enable—Enable the private log. truncate—Truncate the file if it exists. |
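The /ntte and /ntpte rows define the two timestamp formats the time service works with. The following added Python (not part of the TechNet reference or of w32tm) carries those definitions through: it converts an NT time epoch (100 ns ticks since 1601) and a 64-bit NTP timestamp (2^-32 s units since 1900) to UTC, and reads the Transmit Timestamp field from an NTP reply packet, which is where such a value comes from when you examine /packetinfo output. The 48-byte reply is constructed inline, not captured from a real server.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epochs from the w32tm /ntte and /ntpte descriptions.
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # /ntte: 10^-7 s ticks since 1601
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # /ntpte: 2^-32 s units since 1900


def nt_time_to_datetime(nt_ticks: int) -> datetime:
    """Convert an NT time epoch (100 ns intervals from 0h 1-Jan-1601) to UTC."""
    # Integer division keeps whole microseconds; datetime cannot hold 100 ns.
    return NT_EPOCH + timedelta(microseconds=nt_ticks // 10)


def ntp_time_to_datetime(ntp_ts: int) -> datetime:
    """Convert a 64-bit NTP timestamp (2^-32 s intervals from 0h 1-Jan-1900) to UTC."""
    seconds, fraction = divmod(ntp_ts, 1 << 32)   # upper 32 bits seconds, lower 32 fraction
    micro = (fraction * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micro)


def transmit_timestamp(packet: bytes) -> int:
    """Read the 64-bit Transmit Timestamp (bytes 40-47) of an NTPv3/v4 packet."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    return struct.unpack("!Q", packet[40:48])[0]


# Constructed 48-byte server reply: LI=0, VN=3, mode=4 (server), stratum 2, all other
# fields zero, transmit timestamp = 2014-01-01 00:00:00 UTC. Not a real capture.
_TX_2014 = int((datetime(2014, 1, 1, tzinfo=timezone.utc) - NTP_EPOCH).total_seconds()) << 32
SAMPLE_REPLY = bytes([0x1C, 0x02, 0x00, 0x00]) + b"\x00" * 36 + struct.pack("!Q", _TX_2014)


if __name__ == "__main__":
    print(nt_time_to_datetime(116444736000000000))   # 1970-01-01 00:00:00+00:00
    print(ntp_time_to_datetime(2208988800 << 32))     # 1970-01-01 00:00:00+00:00
    print(ntp_time_to_datetime(transmit_timestamp(SAMPLE_REPLY)))
```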
Remarks
The Windows Time service is not a full-featured NTP solution that meets time-sensitive application needs, and it is not supported by Microsoft as such. For more information, see article 939322 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=179459).
If you have questions about the Windows Time service, please post them to the Directory Services forum (http://go.microsoft.com/fwlink/?LinkId=195451).
Examples
If you want to set the local Windows Time client to point to two different time servers, one named ntpserver.contoso.com and another named clock.adatum.com, type the following command at the command line, and then press ENTER:
w32tm /config /manualpeerlist:"ntpserver.contoso.com clock.adatum.com" /syncfromflags:manual /update
For a list of valid NTP servers that are available on the Internet for external time synchronization, see article 262680 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=60401).
If you want to check the Windows Time client configuration from a client computer running Windows 7 that has a host name of CONTOSOW1, run the following command:
W32tm /query /computer:contosoW1 /configuration
The output of this command is a list of configuration parameters that are set for the Windows Time client.